DragonFlyBSD Kernel Audit
← dashboard
DF-0366

Lockless sc_count pre-check in lagg_start races with port destroy causing divide-by-zero panic

Summary

lagg_start(:1758-1763) reads sc->sc_count WITHOUT any lock as early-exit guard, then takes LAGG_RLOCK(:1766 = lockmgr LK_SHARED) and calls sc_select_tx_port(:1773). RR mode: p%=sc->sc_count(:1860). LB mode: p%=sc->sc_count(:2036). Concurrent port destroy (lagg_port_destroy under LAGG_WLOCK) decrements sc_count 1->0 in window between lockless check and RLOCK acquire -> modulo by zero -> CPU exception -> kernel panic. Triggerable by concurrent traffic + last port removal (hotplug/ifdetach).